Participant

SSL VPN two-factor authentication timeout

What controls the two-factor (SecurID in this case) authentication timeout when authenticating against Cisco ASA5525x SSL VPN?

This is the timeout that occurs after the user has provided their username and PIN BUT before they enter their tokencode.

Is this controlled in RSA or on the ASA?

Please help.

Thanks.

4 REPLIES
RJI
VIP Advocate

Re: SSL VPN two-factor authentication timeout

Hi,

I believe the timeout you are referring to is configured under the aaa configuration on the ASA. Reference here.

E.g.: aaa-server RADIUS-SVR host 192.168.10.20 timeout 20

HTH

 

 

VIP Advisor

Re: SSL VPN two-factor authentication timeout

It can be by both, depending on whether the message has arrived at the ASA and been forwarded or has not yet arrived.
VIP Advocate

Re: SSL VPN two-factor authentication timeout

There is a 12 second default timeout for the AnyConnect authentication prompt. This is controlled by the AnyConnect profile setting. You might want to change it to 60 seconds or so.

There are also timeouts for the ASA to reach the AAA server like @RJI mentioned. But which timeout plays a role depends on at what point he/she faces the timeout. If the timeout happens when the prompt is up, then it is the Authentication timeout I mentioned above. If it is something after the username/password is sent, then it is most likely an AAA server timeout.

Participant

Re: SSL VPN two-factor authentication timeout

Thanks for all your responses. I should have been a little more clear in my original post.

I am only referring to clientless SSL WEB VPN authentication, not AnyConnect client authentication.

Specifically, the timeout I am asking about is that for the token code to be entered (after username and PIN have already been provided).
